Actually, it's a lot easier than that. Yes, you can use URL rewriting, like with mod_rewrite in apache, or define alternate executable paths, like you would do for mod_perl, but there's actually a concept in CGI called PATH_INFO. It allows you to pass arguments without needing the question mark to deliniate a QUERY_STRING:

http://server:port/path/script/PATH_INFO

Of course, the problem is that most web server administrators go with the default CGI script location of 'cgi-bin', or 'cgi' or something similar, which would be a giveaway. The only real requirement is that you have access to define which files get executed. This control may have been delegated to .nsconfig or .htaccess files, depending on the setup.

And of course, there's also the use of other dynamicly generated pages, other than CGI, such as by using SSI, ColdFusion, PHP, ASP, or any other text-preprocessor. Of course, once again, you will need to have that parsing configured on the webserver, but it's possible to either use only index pages, and refer to them as directories, so that the browser never sees the file extension, or to configure something like the old execute hack in Netscape web server. (if the file is marked as being executable, no matter its extension, it gets parsed or executed, or whatever you want).